Security Affairs

U.S. Department of Defense discloses details about critical and high severity issues


The U.S. Department of Defense has disclosed the details about four critical and high severity vulnerabilities in its infrastructure.

The U.S. Department of Defense has disclosed details of four vulnerabilities in its infrastructure: two rated high severity and two rated critical.

The vulnerabilities could be exploited by threat actors to hijack a subdomain, execute arbitrary code remotely, or view files on the vulnerable system.

The vulnerabilities were reported in August and July through the Department’s bug bounty program operated via HackerOne.

One of the critical issues is a subdomain takeover due to an unclaimed Amazon S3 bucket.

The ethical hacker chron0x, who reported the flaw, discovered that the subdomain was referencing an Amazon S3 bucket in the US East region that no longer existed. The hacker claimed this bucket and successfully took over the subdomain.

“This is extremely vulnerable to attacks as a malicious user could create any web page with any content and host it on the deployedmedicine.com domain.” reads the advisory. “This would allow them to post malicious content which would be mistaken for a valid site. They could:

  • XSS
  • Phishing
  • Bypass domain security
  • Steal sensitive user data, cookies, etc.”

An attacker could exploit the issue to target visitors of the website with phishing and cross-site scripting attacks. 
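
A defensive check for the condition described above, as an added example that is not part of the original article or the DoD advisory: it walks an export of your own DNS zone, picks out CNAME records that point at Amazon S3, and flags those for which S3 reports the bucket as missing. The example.org hostnames, zone data, and responses are constructed, and the probe function is injected so the sample runs offline.

```python
import re
import urllib.error
import urllib.request

# Hostnames served by Amazon S3 (REST and static-website endpoints).
S3_TARGET = re.compile(r"\.s3[.-]([a-z0-9-]+\.)*amazonaws\.com\.?$", re.I)

def http_probe(host, timeout=5):
    """Fetch http://host/ and return (status, body); default probe for live use."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except OSError:
        return None, ""

def find_dangling_s3(records, probe=http_probe):
    """Return names in our own zone whose CNAME targets S3 but whose bucket is gone."""
    dangling = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME" or not S3_TARGET.search(target):
            continue  # only CNAMEs that delegate the name to S3 are of interest
        status, body = probe(name)
        # S3 answers requests for a deleted bucket with 404 and error code NoSuchBucket.
        if status == 404 and "NoSuchBucket" in body:
            dangling.append(name)
    return dangling

# Constructed zone export and constructed responses (example.org is a placeholder).
SAMPLE_ZONE = [
    ("www.example.org", "CNAME", "www.example.org.s3-website-us-east-1.amazonaws.com."),
    ("media.example.org", "CNAME", "media.example.org.s3.amazonaws.com."),
    ("mail.example.org", "CNAME", "mail.provider.example."),
    ("example.org", "A", "192.0.2.10"),
]
SAMPLE_RESPONSES = {
    "www.example.org": (200, "<html>ok</html>"),
    "media.example.org": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
}

def sample_probe(host):
    """Offline stand-in for http_probe that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(host, (None, ""))

if __name__ == "__main__":
    for name in find_dangling_s3(SAMPLE_ZONE, sample_probe):
        print(f"dangling S3 CNAME: {name} (remove the record or re-create the bucket)")
```

Flagged names should have the DNS record removed, or the bucket re-created under the owning account, before the record is left in place.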

The second critical flaw is a remote code execution on a DoD server running Apache Solr that had been left unpatched since August 2019.

The vulnerability was reported by the ethical hacker Hzllaga on August 19.

The expert discovered that the server was vulnerable to CVE-2019-0192 and CVE-2019-0193; he exploited CVE-2019-0193 and achieved remote arbitrary code execution.

One of the high-severity issues disclosed by the Department is an unpatched read-only path traversal in a Cisco product used by the agency. The issue could be exploited to access arbitrary sensitive files on the system.

The second high-severity issue is a code injection on a DoD host that may lead to arbitrary code execution. The flaw was reported by e3xpl0it from Positive Technologies.

The DoD quickly addressed all the vulnerabilities.

Since the DoD launched a bug bounty program on HackerOne in November 2016, it has addressed a total of 9555 security issues.

Pierluigi Paganini

(SecurityAffairs – hacking, U.S. Department of Defense)
